nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into stable

Browse source
This commit is contained in:
Dennis Schubert 2015-12-20 00:41:49 +01:00
commit c238329cd8
5 changed files with 26 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
Changelog.md
View file

@ -11,6 +11,11 @@
## Features ## Features
# 0.5.5.1
* Fix XSS on profile pages
* Bump nokogiri to fix several libxml2 CVEs, see http://www.ubuntu.com/usn/usn-2834-1/
# 0.5.5.0 # 0.5.5.0
## Bug fixes ## Bug fixes

2
Gemfile
View file

@ -126,7 +126,7 @@ gem "messagebus_ruby_api", "1.0.3"
# Parsing # Parsing
gem "nokogiri", "1.6.6.4" gem "nokogiri", "1.6.7.1"
gem "redcarpet", "3.3.3" gem "redcarpet", "3.3.3"
gem "twitter-text", "1.13.0" gem "twitter-text", "1.13.0"
gem "roxml", "3.1.6" gem "roxml", "3.1.6"

8
Gemfile.lock
View file

@ -436,7 +436,7 @@ GEM
method_source (0.8.2) method_source (0.8.2)
mime-types (2.6.2) mime-types (2.6.2)
mini_magick (4.3.6) mini_magick (4.3.6)
mini_portile (0.6.2) mini_portile2 (2.0.0)
minitest (5.8.2) minitest (5.8.2)
mobile-fu (1.3.1) mobile-fu (1.3.1)
rack-mobile-detect rack-mobile-detect
@ -453,8 +453,8 @@ GEM
net-ssh (>= 2.6.5) net-ssh (>= 2.6.5)
net-ssh (3.0.1) net-ssh (3.0.1)
nio4r (1.1.1) nio4r (1.1.1)
nokogiri (1.6.6.4) nokogiri (1.6.7.1)
mini_portile (~> 0.6.0) mini_portile2 (~> 2.0.0.rc2)
notiffany (0.0.8) notiffany (0.0.8)
nenv (~> 0.1) nenv (~> 0.1)
shellany (~> 0.0) shellany (~> 0.0)
@ -817,7 +817,7 @@ DEPENDENCIES
minitest minitest
mobile-fu (= 1.3.1) mobile-fu (= 1.3.1)
mysql2 (= 0.3.20) mysql2 (= 0.3.20)
nokogiri (= 1.6.6.4) nokogiri (= 1.6.7.1)
omniauth (= 1.2.2) omniauth (= 1.2.2)
omniauth-facebook (= 2.0.1) omniauth-facebook (= 2.0.1)
omniauth-tumblr (= 1.1) omniauth-tumblr (= 1.1)

8
app/assets/javascripts/app/helpers/handlebars-helpers.js
View file

@ -42,15 +42,15 @@ Handlebars.registerHelper('linkToPerson', function(context, block) {
}); });
// relationship indicator for profile page // relationship indicator for profile page
Handlebars.registerHelper('sharingMessage', function(person) { Handlebars.registerHelper("sharingMessage", function(person) {
var i18n_scope = 'people.helper.is_not_sharing'; var i18nScope = "people.helper.is_not_sharing";
var icon = "circle"; var icon = "circle";
if( person.is_sharing ) { if( person.is_sharing ) {
i18n_scope = 'people.helper.is_sharing'; i18nScope = "people.helper.is_sharing";
icon = "entypo check"; icon = "entypo check";
} }
var title = Diaspora.I18n.t(i18n_scope, {name: person.name}); var title = Diaspora.I18n.t(i18nScope, {name: _.escape(person.name)});
var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+ var html = '<span class="sharing_message_container" title="'+title+'" data-placement="bottom">'+
' <i id="sharing_message" class="'+icon+'"></i>'+ ' <i id="sharing_message" class="'+icon+'"></i>'+
'</span>'; '</span>';

12
spec/javascripts/app/helpers/handlebars-helpers_spec.js Normal file
View file

@ -0,0 +1,12 @@
describe("Handlebars helpers", function() {
beforeEach(function() {
Diaspora.I18n.load({people: {helper: {"is_not_sharing": "<%= name %> is not sharing with you"}}});
});
describe("sharingMessage", function() {
it("escapes the person's name", function() {
var person = { name: "\"><script>alert(0)</script> \"><script>alert(0)</script>"};
expect(Handlebars.helpers.sharingMessage(person)).not.toMatch(/<script>/);
});
});
});